
Nonprofit Cybersecurity: Why Pay Attention?

By SHEELA NIMISHAKAVI

“Online Access.” Credit: Danny Oosterveer

When performing a risk assessment, many organizations focus on issues such as loss of funding and reputational damage. Yet data breaches, which can cause just as much harm to the nonprofit, largely get overlooked. Nonprofits collect sensitive data, which can include donor information, health information, Social Security numbers, confidential emails, employee and volunteer records, and billing information. Very few organizations can be confident that they do not store any of this information, so it needs to be protected.

The first wave of hacking seemed to only target large companies that stored masses of sensitive data. Stories about credit card numbers and contact information being stolen from retail stores made major news headlines. These days, unfortunately, it looks as if cybercriminals have discovered the gold mine that is nonprofit data.

Back in February, Nonprofit Quarterly featured a story about an email scam targeting nonprofit organizations for their employee W-2 information. In Muncie, Indiana, a small nonprofit organization called the Little Red Door had all their data stolen from their server and held for ransom for a whopping $43,000. If the nonprofit paid, the hackers claimed, they would return the data and not publish it. Leadership considered their options and, since they did not have any data that they thought was sensitive, they did not pay the ransom. Although no information that the hackers could use was stored, the hackers did take to Twitter, posting letters that the organization wrote, and the organization was traumatized by the event. A similar scenario occurred at a Los Angeles nonprofit hospital, but, considering the highly sensitive information they stored on their server, the hospital opted to pay the hackers to the tune of $14,000 and regain access to their data.

It’s not only ransom money that organizations can lose. Cyber-crimes cause customers—or, in the case of nonprofits, donors—to lose faith in organizations. Hacking exposes vulnerabilities in nonprofits’ systems and can make some donors feel as if the organization did not value them enough to enforce proper safeguards that protect their information.

Data indicate that in the last two years, there has been a 270 percent increase in cyber-crime victims, and there are signs that hackers are targeting smaller businesses because they are less likely to have sophisticated security measures. Given this growing number of incidents, nonprofits need to invest in cybersecurity. Fortunately, this may not need to be an unrealistic cost burden, as there are organizations such as Cybrary (or Marquette's Center for Cyber Security Awareness and Cyber Defense) that teach the public about cybersecurity.

Weak or nonexistent password policies: If a nonprofit allows vendors or members to access info on its network via a password, a comprehensive password policy needs to be enacted. Nonprofits should consider using two-factor authentication and minimum lengths for passwords. Passwords that mix up the types of characters used (numbers, letters, symbols) and do not use words found in dictionaries are typically strong.

Falling victim to phishing and malicious links in emails and website pop-ups: Professional training is helpful to teach employees how to protect against malware, viruses, spyware and other items that can arrive with just the click of a mouse button. Oftentimes these ‘phishing emails’ ask the recipient for login information, credit card numbers or other personal private information. Strict policies should be developed on what employees can download from the internet.

Old, unsupported software: With tight budgets, many nonprofits are still using old software that is no longer supported by its developer. Consider investing in upgraded computers. The older the operating system, the more vulnerable computers and networks are to data breaches.

Using open-source software: This type of software is extremely susceptible to data breaches.

Not using a reputable online payment processor: Nonprofits take membership dues and fees for events and conferences. If a nonprofit doesn’t use a reputable online payment processor, it is vulnerable.

Lax security measures: Policies should be in place to ensure laptops, desktops and mobile devices are wiped clean, and access is denied whenever an employee leaves the company.

Importantly, nonprofits must recognize that they are more vulnerable to cyber-crime than they think. Whether or not a nonprofit collects sensitive data that can be used by criminals, such as Social Security numbers or credit card information, the nonprofit runs the risk that its oversight will cause a breach of trust with the organization’s supporters. It is much more difficult to regain the public’s trust than it is to regain funds.